LDAP is easier to DoS than Kerberos.
I've seen instances with OpenLDAP where bad code in a web app caused clusters of LDAP servers to run out of connections, but the Kerberos servers stayed up, so none of the users noticed because SSSD and/or nscd had the data from the LDAP servers cached. In those instances keeping the Kerberos servers separate saved the day, because if they had shared their database it would have locked out all of the users.
From: Joshua Brodie
Sent: Friday, September 25, 2015 15:36
To: General discussion list for the 389 Directory server project.
Reply To: General discussion list for the 389 Directory server project.
Subject: [389-users] Kerberos KDC
On a large 389 implementation - where downtime is not an option - are there pros/cons to having the KDC on same server as 389 (sharing the database) - or having the KDC on separate, redundant, servers?
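As an added illustration (not from the thread or the 389 project) of the split the reply above describes: an sssd.conf sketch that takes identity from 389 DS over LDAP and authentication from separate KDCs, with caching so an LDAP outage such as connection exhaustion does not lock users out. Hostnames, realm and base DN are placeholders.

```ini
# Added example, not from the thread: SSSD client configuration for
# the split layout (389 DS for identity, separate KDCs for auth).
# Hostnames, realm and base DN are placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

krb5_realm = EXAMPLE.COM
krb5_server = kdc1.example.com, kdc2.example.com

# Cache identity lookups so NSS keeps answering from the cache while
# the LDAP servers are down or out of connections.
entry_cache_timeout = 5400

# Also cache successful Kerberos logins, so authentication survives
# a KDC outage (the reverse of the failure in the reply above).
cache_credentials = true

# Fail over to the next LDAP server quickly instead of hanging on one
# that has exhausted its connections.
ldap_network_timeout = 6
ldap_opt_timeout = 6

[pam]
# Days a cached credential stays valid while offline (0 = no limit).
offline_credentials_expiration = 2
```

The cache only covers users and groups that were looked up before the outage; logins for new accounts, and group membership changes, still need a working LDAP server.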